Certain types of on-line services and applications are targets for hackers and other malicious individuals attempting to gain access to sensitive user information. This is particularly true for on-line financial applications such as Internet banking, on-line payment sites, and on-line brokerages. Common techniques used by hackers include the installation of viruses, Trojan horses, or spyware on a user's computer, phishing schemes where a user is tricked into accessing a fake website having the look and feel of the legitimate site, and man-in-the-middle attacks involving the interception of communication from the user's computer and an external server or device.
Because of the risk associated with offering these on-line services over a relatively insecure network such as the Internet, federal regulators such as the Federal Financial Institutions Examination Council, have urged service providers to implement strong authentication for certain on-line financial applications and services. In particular, multi-factor authentication has been discussed as the preferred method for strong authentication. Authentication methodologies for individuals are generally involve three factors: something the user is (e.g., a biometric such as a fingerprint), something the user has (e.g., a security token generating a one-time password), and something the user knows (e.g., a password). Authentication methods that utilize more than one factor are more difficult to compromise than methods relying on a single factor.
Often when a user signs up or enrolls with a service provider for a financial service, the service provider will issue a token such as a smartcard, which enables the user to perform financial payment transactions such as making charges to or debits from the account. In many circumstances, because of the complexity of cryptographic key management and other factors, the service provider does not provide a fully cryptographically enabled smartcard. Alternatively, the service provide may not activate the cryptographic capabilities of the smartcard for transactional use.
In addition, a service provider may provide on-line applications or services to its users. For example, a service provider may provide access to an on-line financial account such as a bank account. Accordingly, a user may log-in to the account to perform the following actions, including but not limited to, moving money from one account to another, changing billing information, and receiving literature. Many of these transactions do not involve a financial payment transaction (e.g., using the smart card to perform a debit or credit transaction) for which a smartcard would normally be used. As described above, many of these on-line applications require an authentication factor in addition to a log-in/password combination.
Because the smartcard does not have cryptographic capabilities or does not have its cryptographic capabilities enabled, the smartcard by itself may not meet the security requirements necessary for an additional authentication factor. However, issuing and maintaining additional security tokens to be used as an additional authentication factor for accessing on-line services and applications may be cost prohibitive for many service providers.
What is therefore needed is methods and systems for utilizing existing smartcard capabilities as an authentication factor for on-line applications or services.
The present invention will now be described with reference to the accompanying drawings. In the drawings, like reference numbers can indicate identical or functionally similar elements. Additionally, the left-most digit(s) of a reference number may identify the drawing in which the reference number first appears.